Merge branch 'main' into feat/integ-runner-ts

allowed-breaking-changes.txt

@@ -149,4 +149,8 @@ incompatible-argument:@aws-cdk/aws-route53-targets.InterfaceVpcEndpointTarget.<i
 changed-type:@aws-cdk/cx-api.AssetManifestArtifact.requiresBootstrapStackVersion
 
 # removed mistyped ec2 instance class
-removed:aws-cdk-lib.aws_ec2.InstanceClass.COMPUTE6_GRAVITON2_HIGH_NETWORK_BANDWITH
+removed:aws-cdk-lib.aws_ec2.InstanceClass.COMPUTE6_GRAVITON2_HIGH_NETWORK_BANDWITH
+
+# added new required property StackOutputsMap
+strengthened:@aws-cdk/pipelines.ProduceActionOptions
+strengthened:aws-cdk-lib.pipelines.ProduceActionOptions

packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts

@@ -20,10 +20,10 @@ export interface LambdaAuthorizerProps {
   /**
    * The handler for the authorizer lambda function.
    *
-   * The handler must follow a very specific protocol on the input it receives and the output it needs to produce.
-   * API Gateway has documented the handler's input specification
-   * {@link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html | here} and output specification
-   * {@link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html | here}.
+   * The handler must follow a very specific protocol on the input it receives
+   * and the output it needs to produce.  API Gateway has documented the
+   * handler's [input specification](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html)
+   * and [output specification](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html).
    */
   readonly handler: lambda.IFunction;
 

packages/@aws-cdk/aws-apigateway/lib/lambda-api.ts

@@ -17,7 +17,7 @@ export interface LambdaRestApiProps extends RestApiProps {
   /**
    * Specific Lambda integration options.
    *
-   * @default see defaults defined in {@link LambdaIntegrationOptions}.
+   * @default see defaults defined in `LambdaIntegrationOptions`.
    */
   readonly integrationOptions?: LambdaIntegrationOptions;
 

packages/@aws-cdk/aws-apigateway/lib/method.ts

@@ -25,9 +25,9 @@ export interface MethodOptions {
    * Method authorization.
    * If the value is set of `Custom`, an `authorizer` must also be specified.
    *
-   * If you're using one of the authorizers that are available via the {@link Authorizer} class, such as {@link Authorizer#token()},
+   * If you're using one of the authorizers that are available via the `Authorizer` class, such as `Authorizer#token()`,
    * it is recommended that this option not be specified. The authorizer will take care of setting the correct authorization type.
-   * However, specifying an authorization type using this property that conflicts with what is expected by the {@link Authorizer}
+   * However, specifying an authorization type using this property that conflicts with what is expected by the `Authorizer`
    * will result in an error.
    *
    * @default - open access unless `authorizer` is specified

packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -616,7 +616,7 @@ export abstract class RestApiBase extends Resource implements IRestApi {
 /**
  * Represents a REST API in Amazon API Gateway, created with an OpenAPI specification.
  *
- * Some properties normally accessible on @see {@link RestApi} - such as the description -
+ * Some properties normally accessible on @see `RestApi` - such as the description -
  * must be declared in the specification. All Resources and Methods need to be defined as
  * part of the OpenAPI specification file, and cannot be added via the CDK.
  *

packages/@aws-cdk/aws-appmesh/lib/http-route-path-match.ts

@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { CfnGatewayRoute, CfnRoute } from './appmesh.generated';
 
 /**
- * The type returned from the `bind()` method in {@link HttpRoutePathMatch}.
+ * The type returned from the `bind()` method in `HttpRoutePathMatch`.
  */
 export interface HttpRoutePathMatchConfig {
   /**
@@ -94,7 +94,7 @@ class HttpRouteWholePathMatch extends HttpRoutePathMatch {
 }
 
 /**
- * The type returned from the `bind()` method in {@link HttpGatewayRoutePathMatch}.
+ * The type returned from the `bind()` method in `HttpGatewayRoutePathMatch`.
  */
 export interface HttpGatewayRoutePathMatchConfig {
   /**

packages/@aws-cdk/aws-appmesh/lib/tls-certificate.ts

@@ -3,7 +3,7 @@ import { Construct } from 'constructs';
 import { CfnVirtualNode } from './appmesh.generated';
 
 /**
- * A wrapper for the tls config returned by {@link TlsCertificate.bind}
+ * A wrapper for the tls config returned by `TlsCertificate.bind`
  */
 export interface TlsCertificateConfig {
   /**

packages/@aws-cdk/aws-autoscaling/lib/volume.ts

@@ -48,22 +48,22 @@ export interface EbsDeviceOptionsBase {
   /**
    * The number of I/O operations per second (IOPS) to provision for the volume.
    *
-   * Must only be set for {@link volumeType}: {@link EbsDeviceVolumeType.IO1}
+   * Must only be set for `volumeType`: `EbsDeviceVolumeType.IO1`
    *
    * The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS,
    * you need at least 100 GiB storage on the volume.
    *
    * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
    *
-   * @default - none, required for {@link EbsDeviceVolumeType.IO1}
+   * @default - none, required for `EbsDeviceVolumeType.IO1`
    */
   readonly iops?: number;
 
   /**
    * The EBS volume type
    * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
    *
-   * @default {@link EbsDeviceVolumeType.GP2}
+   * @default `EbsDeviceVolumeType.GP2`
    */
   readonly volumeType?: EbsDeviceVolumeType;
 

packages/@aws-cdk/aws-batch/lib/job-definition-image-config.ts

@@ -19,7 +19,7 @@ interface TaskDefinitionProps {
  * Batch Job Task Definition
  *
  * Defines a Batch Job Task Definition. The properties of this task definition mirrors
- * those of an {@link ecs.ContainerDefinition}. This class is a wrapper on that structure.
+ * those of an `ecs.ContainerDefinition`. This class is a wrapper on that structure.
  */
 class TaskDefinition {
   /**

packages/@aws-cdk/aws-batch/lib/job-definition.ts

@@ -244,7 +244,7 @@ export interface JobDefinitionContainer {
 }
 
 /**
- * Construction properties of the {@link JobDefinition} construct.
+ * Construction properties of the `JobDefinition` construct.
  */
 export interface JobDefinitionProps {
   /**
@@ -361,14 +361,14 @@ export interface INodeRangeProps {
    * to the number of nodes associated with the job. You may nest node ranges, for example 0:10 and 4:5,
    * in which case the 4:5 range properties override the 0:10 properties.
    *
-   * @default {@link IMultiNodeprops.count}
+   * @default `IMultiNodeprops.count`
    */
   toNodeIndex?: number;
 }
 
 /**
  * An interface representing a job definition - either a new one, created with the CDK, *using the
- * {@link JobDefinition} class, or existing ones, referenced using the {@link JobDefinition.fromJobDefinitionArn} method.
+ * `JobDefinition` class, or existing ones, referenced using the `JobDefinition.fromJobDefinitionArn` method.
  */
 export interface IJobDefinition extends IResource {
   /**

packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts

@@ -242,7 +242,7 @@ export class Certificate extends CertificateBase implements ICertificate {
     }
 
     // check if domain name is 64 characters or less
-    if (props.domainName.length > 64) {
+    if (!Token.isUnresolved(props.domainName) && props.domainName.length > 64) {
       throw new Error('Domain name must be 64 characters or less');
     }
 

packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts

@@ -3,6 +3,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as route53 from '@aws-cdk/aws-route53';
 import * as cdk from '@aws-cdk/core';
+import { Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CertificateProps, ICertificate } from './certificate';
 import { CertificateBase } from './certificate-base';
@@ -87,7 +88,7 @@ export class DnsValidatedCertificate extends CertificateBase implements ICertifi
     this.region = props.region;
     this.domainName = props.domainName;
     // check if domain name is 64 characters or less
-    if (this.domainName.length > 64) {
+    if (!Token.isUnresolved(props.domainName) && props.domainName.length > 64) {
       throw new Error('Domain name must be 64 characters or less');
     }
     this.normalizedZoneName = props.hostedZone.zoneName;

packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts

@@ -1,6 +1,6 @@
 import { Template, Match } from '@aws-cdk/assertions';
 import * as route53 from '@aws-cdk/aws-route53';
-import { Duration, Lazy, Stack } from '@aws-cdk/core';
+import { Aws, Duration, Lazy, Stack } from '@aws-cdk/core';
 import { Certificate, CertificateValidation } from '../lib';
 
 test('apex domain selection by default', () => {
@@ -91,6 +91,37 @@ test('throws when domain name is longer than 64 characters', () => {
   }).toThrow(/Domain name must be 64 characters or less/);
 });
 
+test('does not throw when domain name is longer than 64 characters with tokens', () => {
+  const stack = new Stack();
+  const embededToken = Aws.REGION;
+  const baseDomain = 'a'.repeat(65-embededToken.length);
+  const domainName = `${embededToken}${baseDomain}`;
+  new Certificate(stack, 'Certificate', {
+    domainName,
+    validation: CertificateValidation.fromEmail({
+      [domainName]: 'example.com',
+    }),
+  });
+
+  const domainNameJoin = {
+    'Fn::Join': [
+      '',
+      [
+        {
+          Ref: 'AWS::Region',
+        },
+        baseDomain,
+      ],
+    ],
+  };
+  Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+    DomainName: domainNameJoin,
+    DomainValidationOptions: [{
+      DomainName: domainNameJoin,
+      ValidationDomain: 'example.com',
+    }],
+  });
+});
 
 test('needs validation domain supplied if domain contains a token', () => {
   const stack = new Stack();

packages/@aws-cdk/aws-certificatemanager/test/dns-validated-certificate.test.ts

@@ -1,7 +1,7 @@
 import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import { HostedZone, PublicHostedZone } from '@aws-cdk/aws-route53';
-import { App, Stack, Token, Tags, RemovalPolicy } from '@aws-cdk/core';
+import { App, Stack, Token, Tags, RemovalPolicy, Aws } from '@aws-cdk/core';
 import { DnsValidatedCertificate } from '../lib/dns-validated-certificate';
 
 test('creates CloudFormation Custom Resource', () => {
@@ -252,6 +252,47 @@ test('throws when domain name is longer than 64 characters', () => {
   }).toThrow(/Domain name must be 64 characters or less/);
 }),
 
+test('does not throw when domain name is longer than 64 characters with tokens', () => {
+  const stack = new Stack();
+  const zoneName = 'example.com';
+  const exampleDotComZone = new PublicHostedZone(stack, 'ExampleDotCom', {
+    zoneName,
+  });
+  const embededToken = Aws.REGION;
+  const baseSubDomain = 'a'.repeat(65 - embededToken.length -1 -zoneName.length);
+  const domainName = `${embededToken}${baseSubDomain}.${zoneName}`;
+
+  new DnsValidatedCertificate(stack, 'Cert', {
+    domainName,
+    hostedZone: exampleDotComZone,
+    transparencyLoggingEnabled: false,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::CloudFormation::CustomResource', {
+    ServiceToken: {
+      'Fn::GetAtt': [
+        'CertCertificateRequestorFunction98FDF273',
+        'Arn',
+      ],
+    },
+    DomainName: {
+      'Fn::Join': [
+        '',
+        [
+          {
+            Ref: 'AWS::Region',
+          },
+          `${baseSubDomain}.${zoneName}`,
+        ],
+      ],
+    },
+    HostedZoneId: {
+      Ref: 'ExampleDotCom4D1B83AA',
+    },
+    CertificateTransparencyLoggingPreference: 'DISABLED',
+  });
+});
+
 test('test transparency logging settings is passed to the custom resource', () => {
   const stack = new Stack();
 

packages/@aws-cdk/aws-cloudformation/lib/custom-resource.ts

@@ -13,7 +13,7 @@ export type Properties = {[key: string]: any};
 /**
  * Configuration options for custom resource providers.
  *
- * @deprecated used in {@link ICustomResourceProvider} which is now deprecated
+ * @deprecated used in `ICustomResourceProvider` which is now deprecated
  */
 export interface CustomResourceProviderConfig {
   /**

packages/@aws-cdk/aws-cloudfront-origins/lib/origin-group.ts

@@ -1,7 +1,7 @@
 import * as cloudfront from '@aws-cdk/aws-cloudfront';
 import { Construct } from 'constructs';
 
-/** Construction properties for {@link OriginGroup}. */
+/** Construction properties for `OriginGroup`. */
 export interface OriginGroupProps {
   /**
    * The primary origin that should serve requests for this group.

packages/@aws-cdk/aws-cloudfront/README.md

@@ -91,7 +91,7 @@ your domain name, and provide one (or more) domain names from the certificate fo
 
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
 may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
-from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise. 
+from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise.
 
 ```ts
 // To use your own domain name in a Distribution, you must associate a certificate
@@ -340,6 +340,8 @@ const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'Resp
     strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
     xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
   },
+  removeHeaders: ['Server'],
+  serverTimingSamplingRate: 50,
 });
 new cloudfront.Distribution(this, 'myDistCustomPolicy', {
   defaultBehavior: {
@@ -620,7 +622,7 @@ configuration properties have been changed:
 | `loggingConfig`                | `enableLogging`; configure with `logBucket` `logFilePrefix` and `logIncludesCookies`           |
 | `viewerProtocolPolicy`         | removed; set on each behavior instead. default changed from `REDIRECT_TO_HTTPS` to `ALLOW_ALL` |
 
-After switching constructs, you need to maintain the same logical ID for the underlying [CfnDistribution](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-cloudfront.CfnDistribution.html) if you wish to avoid the deletion and recreation of your distribution. 
+After switching constructs, you need to maintain the same logical ID for the underlying [CfnDistribution](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-cloudfront.CfnDistribution.html) if you wish to avoid the deletion and recreation of your distribution.
 To do this, use [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) to override the logical ID created by the new Distribution construct with the logical ID created by the old construct.
 
 Example:
@@ -776,7 +778,7 @@ new cloudfront.CloudFrontWebDistribution(this, 'MyCfWebDistribution', {
 });
 ```
 
-Becomes: 
+Becomes:
 
 ```ts
 declare const sourceBucket: s3.Bucket;
@@ -795,8 +797,8 @@ cfnDistribution.addPropertyOverride('ViewerCertificate.SslSupportMethod', 'sni-o
 
 ### Other changes
 
-A number of default settings have changed on the new API when creating a new distribution, behavior, and origin. 
-After making the major changes needed for the migration, run `cdk diff` to see what settings have changed. 
+A number of default settings have changed on the new API when creating a new distribution, behavior, and origin.
+After making the major changes needed for the migration, run `cdk diff` to see what settings have changed.
 If no changes are desired during migration, you will at the least be able to use [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) to override what the CDK synthesizes, if you can't change the properties directly.
 
 ## CloudFrontWebDistribution API
@@ -1002,7 +1004,7 @@ The following example command uses OpenSSL to generate an RSA key pair with a le
 openssl genrsa -out private_key.pem 2048
 ```
 
-The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and stores it in `public_key.pem`. 
+The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and stores it in `public_key.pem`.
 
 ```bash
 openssl rsa -pubout -in private_key.pem -out public_key.pem
@@ -1028,4 +1030,4 @@ new cloudfront.KeyGroup(this, 'MyKeyGroup', {
 See:
 
 * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
-* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html 
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -707,7 +707,7 @@ export enum LambdaEdgeEventType {
 
 /**
  * Represents a Lambda function version and event type when using Lambda@Edge.
- * The type of the {@link AddBehaviorOptions.edgeLambdas} property.
+ * The type of the `AddBehaviorOptions.edgeLambdas` property.
  */
 export interface EdgeLambda {
   /**

packages/@aws-cdk/aws-cloudfront/lib/function.ts

@@ -202,7 +202,7 @@ export enum FunctionEventType {
 
 /**
  * Represents a CloudFront function and event type when using CF Functions.
- * The type of the {@link AddBehaviorOptions.functionAssociations} property.
+ * The type of the `AddBehaviorOptions.functionAssociations` property.
  */
 export interface FunctionAssociation {
   /**

packages/@aws-cdk/aws-cloudfront/lib/origin.ts

@@ -4,7 +4,7 @@ import { CfnDistribution } from './cloudfront.generated';
 
 /**
  * The failover configuration used for Origin Groups,
- * returned in {@link OriginBindConfig.failoverConfig}.
+ * returned in `OriginBindConfig.failoverConfig`.
  */
 export interface OriginFailoverConfig {
   /** The origin to use as the fallback origin. */
@@ -18,7 +18,7 @@ export interface OriginFailoverConfig {
   readonly statusCodes?: number[];
 }
 
-/** The struct returned from {@link IOrigin.bind}. */
+/** The struct returned from `IOrigin.bind`. */
 export interface OriginBindConfig {
   /**
    * The CloudFormation OriginProperty configuration for this Origin.